We care deeply about the security of our systems, data, and users. If you've discovered a vulnerability or security issue in one of our services, we’d genuinely appreciate your help in reporting it to us — responsibly and privately.
What We Ask From You
If you’ve found something concerning, please:
- Give us the chance to fix it before you make it public.
- Avoid accessing or modifying data that isn’t yours.
- Don’t disrupt our services or the experience of other users.
- Use your own accounts when testing, not mass registration or fake signups.
- Stay clear of DoS/DDoS, spam, automated scanner reports, or social engineering attacks.
What Is in Our Scope
Please focus on issues in services that are created or hosted by us.
Examples of eligible bugs and vulnerabilities are:
- Injections and deserialization vulnerabilities
- Underprotected APIs or Apps
- Known and zero-day vulnerabilities under the spotlight
- Cross-Site Scripting
- Open redirect
- Cross-Site Request Forgery
- File Inclusion
- Authentication Bypasses
- Server-Side Code Execution
What Is Not in Our Scope
Reports about vulnerabilities in third-party platforms or dependencies (e.g. cloud providers, managed services) aren’t in our scope.
Examples of non-eligible bugs are:
- Output of well-known automated tools/solutions
- Output of AI-based tools without clear foundation and explanation
- Missing Cookie flags on non-session cookies or 3rd party cookies
- Logout CSRF
- Social engineering
- Denial of service
- Weak TLS ciphers
- Email spoofing, SPF, DMARC & DKIM
- Brute force attacks
- Password policy improvements
- Hardening tips (such as missing CSP header or SRI attribute)
How to Report
Please reach us securely via:
Email: security@wemolo.com
PGP Key: https://www.wemolo.com/security-wemolo-public.pub.asc
security.txt: https://www.wemolo.com/.well-known/security.txt
We aim to respond to your report within 24 hours.
What You Can Expect
If you follow these guidelines, we’ll:
- Not pursue legal action against you for good-faith research under this policy.
- Treat your report with respect and gratitude.
- If provided, treat your personal data (such as an IP address) confidentially and only pass it on if it is necessary to fix the vulnerability or required by law.
- Work with you to understand and validate the issue.
- Keep you updated during the fix process.
Please note: We don’t currently offer a reward, bug bounty or public acknowledgment program for contributions, but decide on a case-by-case basis.
Let us know if you’d like to review updates, test patches, or just chat security — we’re always happy to connect with thoughtful researchers.
Thank you for helping us build a safer internet.
